Abstract

Auctions have a long history, having been recorded as early as 500 B.C. With the rise of the Internet, electronic auctions have been a great success and are increasingly used. Many cryptographic protocols have been proposed to address the various security requirements of these electronic transactions, in particular to ensure privacy. In 2006 Brandt [1] developed a protocol that computes the winner using homomorphic operations on a distributed ElGamal encryption of the bids. He claimed that it ensures full privacy of the bidders, i.e. that no information apart from the winner and the winning price is leaked. We show that this protocol, when using interactive zero-knowledge proofs, is vulnerable to attacks by dishonest bidders. Such bidders can manipulate the publicly available data in a way that allows the seller to deduce all participants' bids. Additionally, even if non-interactive zero-knowledge proofs are used, we show that the protocol is vulnerable to a different attack, which allows an attacker to recover one targeted bidder's bid.

1 Introduction 

Auctions are a simple method to sell goods and services. Typically a seller offers a good or a service, and the bidders make offers. Depending on the type of auction, the offers might be sent using sealed envelopes which are opened simultaneously to determine the winner (the "sealed-bid" auction), or an auctioneer could announce decreasing prices until one bidder is willing to pay the announced price (the "Dutch auction"). Additionally there might be several rounds, or offers might be announced publicly right away (the "English" or "shout-out" auction). The winner usually is the bidder submitting the highest bid, but in some cases he might only have to pay the second highest offer as the price (the "second-price" or "Vickrey" auction). In general a bidder wants to win the auction at the lowest possible price, and the seller wants to sell his good at the highest possible price. For more information on different auction methods see [8]. To address this huge variety of possible auction settings and to achieve different security and efficiency properties numerous protocols have been developed, e.g. [1, 10, 3, 9, 12, 11, 7, 4, 14, 13, 16, 15, 20, 19, 17, 18].

One of the key requirements of electronic auction (e-Auction) protocols is privacy, i.e. that the bids of losing bidders remain private. In 2006 Brandt [1] proposed a first-price sealed-bid auction protocol and claimed that it is fully private, i.e. that it leaks no information apart from the winner, the winning bid, and what can be deduced from these two facts (for example that the other bids were inferior).

Our Contributions. The protocol is based on an algorithm that computes the winner using bids encoded as bit vectors. In this paper we show that the implementation using the homomorphic property of a distributed ElGamal encryption proposed in the original paper suffers from a weakness that can in some cases be exploited by dishonest participants. In fact, we prove that any two different inputs (i.e. different bids) result in different outcome values, which are only hidden using random values. We show how a dishonest participant can remove this random noise if interactive zero-knowledge proofs are used. The seller can then efficiently compute the bids of all bidders, hence completely breaking privacy. Next, we also show that even if this attack is prevented via non-interactive proofs, the protocol remains vulnerable to attacks on the privacy of a single bidder. This is due to a lack of authentication.

Outline. In the next section, we recall the protocol by Brandt. Then, in Section 3, we present our attacks in several steps. We first study the protocol using interactive zero-knowledge proofs and without noise. Then we show how a dishonest participant can remove the noise. Finally, as the messages are not authenticated, we show that a malicious attacker in control of the network can recover any bidder's bid, even if non-interactive zero-knowledge proofs are used.

2 The Protocol 

The protocol of Brandt [1] was designed to ensure full privacy in a completely distributed way. It exploits the homomorphic properties of a distributed ElGamal encryption scheme [5] for a secure multi-party computation of the winner. We first give a high level description of the protocol and then present details on the main cryptographic primitives it uses.

2.1 Informal Description 

The participating $n$ bidders and the seller communicate essentially using broadcast messages. The latter can for example be implemented using a bulletin board, i.e. an append-only memory accessible to everybody. The bids are encoded as $k$-bit vectors where each entry corresponds to a price. If bidder $a$ wants to bid the price $b_a$, all entries will be 1, except the entry $b_a$ which will be $Y$ (a public constant). Each entry of the vector is then encrypted separately using an $n$-out-of-$n$ encryption scheme set up by all bidders. The bidders use multiplications of the encrypted bids (exploiting the homomorphic property) to compute values $v_{aj}$. Each of these values is 1 if bidder $a$ wins at price $j$, and is a random number otherwise. The decryption of the final values takes place in a distributed way to ensure that nobody can access intermediate values.

In a nutshell, the protocol realizes the following steps:

1. First, the distributed key is generated: each bidder chooses his part of the secret key and publishes the corresponding part of the public key.

2. Each bidder then computes the joint public key, encrypts his bid-vector entry-wise using this key and publishes the result.

3. Then the auction function is computed for every bidder using the homomorphic properties of the encryption scheme, see the next paragraph.

4. The outcomes of this computation ($n^2 \cdot k$ encrypted values) are published on the bulletin board, and each bidder partly decrypts each value using his secret key.

5. These shares are sent to the seller, who can combine them to obtain the result. The seller also publishes part of the shares so that each bidder can verify his winning or losing situation.

2.2 Mathematical Description 

We do not detail all proofs here except the one used in step 3 "Outcome Computation". Indeed, our attack exploits the algebraic properties of the latter. We consider that $i, h \in \{1, \dots, n\}$, $j, \mathrm{bid}_a \in \{1, \dots, k\}$ (where $\mathrm{bid}_a$ is the bid chosen by the bidder with index $a$), and $Y \in G_q \setminus \{1\}$. More precisely, the $n$ bidders execute the following five steps of the protocol [1]:

1. Key Generation

Each bidder $a$, whose bidding price is $\mathrm{bid}_a$ among $k$ offers:

• chooses a secret $x_a \in \mathbb{Z}_q$,

• chooses randomly $m^a_{ij}$ and $r_{aj} \in \mathbb{Z}_q$ for each $i$ and $j$,

• publishes $y_a = g^{x_a}$ and proves knowledge of $y_a$'s discrete logarithm, then computes the joint public key $y$.

2. Bid Encryption

Each bidder $a$

• publishes $\alpha_{aj} = b_{aj} \cdot y^{r_{aj}}$ and $\beta_{aj} = g^{r_{aj}}$ for each $j$,

• proves that for all $j$, $\log_g(\beta_{aj})$ equals $\log_y(\alpha_{aj})$ or $\log_y(\alpha_{aj}/Y)$ (i.e. that each entry encrypts either 1 or $Y$), and that …

3. Outcome Computation

• Each bidder $a$ computes and publishes for all $i$ and $j$:
$$\gamma^a_{ij} = \Bigl(\Bigl(\prod_{h=1}^{n}\prod_{d=j+1}^{k} \alpha_{hd}\Bigr) \cdot \Bigl(\prod_{d=1}^{j-1} \alpha_{id}\Bigr) \cdot \Bigl(\prod_{h=1}^{i-1} \alpha_{hj}\Bigr)\Bigr)^{m^a_{ij}}$$
$$\delta^a_{ij} = \Bigl(\Bigl(\prod_{h=1}^{n}\prod_{d=j+1}^{k} \beta_{hd}\Bigr) \cdot \Bigl(\prod_{d=1}^{j-1} \beta_{id}\Bigr) \cdot \Bigl(\prod_{h=1}^{i-1} \beta_{hj}\Bigr)\Bigr)^{m^a_{ij}}$$
and proves their correctness.

4. Outcome Decryption

• Each bidder $a$ sends $\phi^a_{ij} = \bigl(\prod_{h=1}^{n} \delta^h_{ij}\bigr)^{x_a}$ for each $i$ and $j$ to the seller and proves its correctness. After having received all values, the seller publishes $\phi^h_{ij}$ for all $i$, $j$ and $h \neq i$.

5. Winner Determination

• Everybody can now compute $v_{aj} = \dfrac{\prod_{h=1}^{n} \gamma^h_{aj}}{\prod_{i=1}^{n} \phi^i_{aj}}$ for each $j$.

• If $v_{aw} = 1$ for some $w$, then bidder $a$ wins the auction at price $p_w$.

2.3 Proof of equality of two discrete logs

In the original paper [1] the following interactive proof [2] is proposed to prove the correctness of $\gamma^a_{ij}$ and $\delta^a_{ij}$ in step 3 of the protocol: Peggy and Victor know $v$, $w$, $g_1$ and $g_2$, and Peggy wants to prove that she knows $x$ such that $v = g_1^x$ and $w = g_2^x$; here $g_1$ and $g_2$ are the products of the $\alpha$'s and $\beta$'s inside $\gamma^a_{ij}$ and $\delta^a_{ij}$ (before the exponentiation), $v = \gamma^a_{ij}$, $w = \delta^a_{ij}$ and $x = m^a_{ij}$.

1. Peggy chooses $z$ at random and sends $\lambda = g_1^z$ and $\mu = g_2^z$ to Victor.

2. Victor chooses a challenge $c$ at random and sends it to Peggy.

3. Peggy computes $r = (z + c \cdot x) \bmod q$ and sends it to Victor.

4. Victor tests if $g_1^r = \lambda \cdot v^c$ and $g_2^r = \mu \cdot w^c$.

This interactive protocol can be converted into a non-interactive one using the Fiat-Shamir heuristic [6].
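The proof above in both its interactive and its Fiat-Shamir form, as an added Python example that is not code from the paper: the group parameters ($p = 1019$, $q = 509$) are hypothetical toy values, SHA-256 as the Fiat-Shamir hash is an assumption, and the bases g1, g2 stand for the products inside $\gamma^a_{ij}$ and $\delta^a_{ij}$.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 with q prime; bases that
# are quadratic residues mod p lie in the order-q subgroup G_q.  Real
# parameters are thousands of bits long; these are only for illustration.
P, Q = 1019, 509


def prove(g1, g2, x, challenge_fn):
    """Peggy's side: she knows x with v = g1^x and w = g2^x.
    challenge_fn(v, w, lam, mu) plays Victor's role in step 2."""
    v, w = pow(g1, x, P), pow(g2, x, P)
    z = secrets.randbelow(Q)                       # step 1: commitment
    lam, mu = pow(g1, z, P), pow(g2, z, P)
    c = challenge_fn(v, w, lam, mu)                # step 2: challenge
    r = (z + c * x) % Q                            # step 3: response
    return v, w, (lam, mu, c, r)


def verify(g1, g2, v, w, proof):
    """Victor's step 4: g1^r = lam * v^c and g2^r = mu * w^c."""
    lam, mu, c, r = proof
    return (pow(g1, r, P) == lam * pow(v, c, P) % P
            and pow(g2, r, P) == mu * pow(w, c, P) % P)


def interactive_challenge(v, w, lam, mu):
    """Interactive variant: Victor picks c at random after seeing the commitment."""
    return secrets.randbelow(Q)


def fiat_shamir_challenge(g1, g2):
    """Non-interactive variant: c is a hash of the statement and the commitment,
    so nobody can pick the challenge after the commitment or relay one."""
    def challenge(v, w, lam, mu):
        data = ",".join(map(str, (g1, g2, v, w, lam, mu))).encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q
    return challenge


def verify_noninteractive(g1, g2, v, w, proof):
    """Victor recomputes the challenge instead of accepting the one in the proof."""
    lam, mu, c, r = proof
    return (c == fiat_shamir_challenge(g1, g2)(v, w, lam, mu)
            and verify(g1, g2, v, w, proof))


if __name__ == "__main__":
    g1, g2, x = 4, 9, 123                          # 4 = 2^2 and 9 = 3^2 lie in G_q
    v, w, pr = prove(g1, g2, x, interactive_challenge)
    print("interactive proof valid:", verify(g1, g2, v, w, pr))
    v, w, pr = prove(g1, g2, x, fiat_shamir_challenge(g1, g2))
    print("non-interactive proof valid:", verify_noninteractive(g1, g2, v, w, pr))
```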
3 The Attacks

We present two kinds of attacks. The first one uses some algebraic properties of the computations performed during the protocol execution. Then we discuss other attacks based on the lack of authentication in the protocol.

3.1 Attacking the fully private computations

For our main attack we analyze the computations done in step 3 of the protocol. Consider the following example with three bidders and three possible prices. Then the first bidder computes the values $\gamma^1_{ij}$ for all $i$ and $j$.
The second and third bidder do the same computations, but using different random values $m^h_{ij}$. Since each $\alpha_{ij}$ is either the encryption of 1 or of $Y$, for example the value $\gamma_{22}$ will be an encryption of 1 only if

• nobody submitted a higher bid (the first block) and

• bidder 2 did not bid a lower bid (the second block) and

• no bidder with a lower index submitted the same bid (the third block).

If we ignore the exponentiation by $m^a_{ij}$, each $\gamma^a_{ij}$ is the encryption of the product of several $b_{ij}$'s. Each $b_{ij}$ can be either 1 or $Y$, hence $(\gamma^a_{ij})^{1/m^a_{ij}}$ will be the encryption of a value $Y^{l_{ij}}$, where $0 \le l_{ij} \le n$. The lower bound of $l_{ij}$ is trivial; the upper bound follows from the observation that each $\alpha_{ij}$ will be used at most once, and that each bidder will encrypt $Y$ at most once.

Assume for now that we know all $l_{ij}$. We show next that this is sufficient to obtain all bids. Consider the function $f$ which takes as input the following vector¹
$$b = \log_Y(b_{11}, \dots, b_{1k}, b_{21}, \dots, b_{nk})^T$$
and returns the values $l_{ij}$. The input vector is thus a vector of all bid-vectors, where 1 is replaced by 0 and $Y$ by 1. Consider our above example with three bidders and three possible prices, then we have
$$b = \log_Y(b_{11}, b_{12}, b_{13}, b_{21}, b_{22}, b_{23}, b_{31}, b_{32}, b_{33})^T .$$

¹By abuse of notation we write $\log_g(x_1, \dots, x_n)$ for $(\log_g(x_1), \dots, \log_g(x_n))$.

A particular instance where bidders 1 and 3 submit price 1, and bidder 2 submits price 2, would then look as follows:
$$b = (1, 0, 0, 0, 1, 0, 1, 0, 0)^T$$
Hence only the factors $\alpha_{11}$, $\alpha_{22}$ and $\alpha_{31}$ are encryptions of $Y$; all other $\alpha$'s are encryptions of 1. By simply counting how often the factors $\alpha_{11}$, $\alpha_{22}$ and $\alpha_{31}$ show up in each equation as described above, we can compute the following result of $f(b)$:
$$(1, 1, 1, 2, 0, 1, 2, 1, 1)^T$$
Note that since we chose the input of $f$ to be a bit-vector, we simply have to count the ones (which correspond to $Y$'s) in particular positions in $b$, where the positions are determined by the factors inside $\gamma^a_{ij}$. Hence we can express $f$ as a matrix, i.e. $f(b) = M \cdot b$ for the following matrix $M$ (with $U$, $L$ and $I$ the $3 \times 3$ matrices defined in Section 3.1.1):
$$f(b) = M \cdot b = \begin{pmatrix} U+L & U & U \\ U+I & U+L & U \\ U+I & U+I & U+L \end{pmatrix} \cdot b$$
To see how the matrix $M$ is constructed, consider for example
$$(\gamma^1_{22})^{1/m^1_{22}} = (\alpha_{13} \cdot \alpha_{23} \cdot \alpha_{33}) \cdot (\alpha_{21}) \cdot (\alpha_{12})$$
which corresponds to the second row in the second vertical block:

• $\alpha_{12}$ and $\alpha_{13}$; hence the two ones at positions 2 and 3 in the first horizontal block

• $\alpha_{21}$ and $\alpha_{23}$; hence the two ones at positions 1 and 3 in the second horizontal block

• $\alpha_{33}$; hence the one at position 3 in the third horizontal block

More generally, we can see that each $3 \times 3$ block consists of potentially three parts:

• An upper triangular matrix representing all bigger bids.

• On the diagonal we add a lower triangular matrix representing a lower bid by the same bidder.

• In the lower left half we add an identity matrix representing a bid at the current price by a bidder with a lower index.

This corresponds exactly to the structure of the products inside each $\gamma^a_{ij}$. It is also equivalent to formula (1) in Section 4.1.1 of the original paper [1] without the random vector $R^*_k$. In the following we prove that the function $f$ is injective. We then discuss how this function can be efficiently inverted (i.e. how to compute the bids when knowing all $l_{ij}$'s).
3.1.1 Preliminaries.

Let $I_k$ be the $k \times k$ identity matrix.

Let $L_k$ be a lower $k \times k$ triangular matrix with zeroes on the diagonal, ones in the lower part and zeroes elsewhere. Let $U_k$ be an upper $k \times k$ triangular matrix with zeroes on the diagonal, ones in the upper part, and zeroes elsewhere. In Figure 1 we give a representation of these matrices. By abuse of notation we use $I$, $L$ and $U$ to denote respectively $I_k$, $L_k$ and $U_k$.

$$I_k = \begin{pmatrix} 1 & & 0 \\ & \ddots & \\ 0 & & 1 \end{pmatrix}, \qquad L_k = \begin{pmatrix} 0 & & & 0 \\ 1 & 0 & & \\ \vdots & \ddots & \ddots & \\ 1 & \cdots & 1 & 0 \end{pmatrix}, \qquad U_k = \begin{pmatrix} 0 & 1 & \cdots & 1 \\ & 0 & \ddots & \vdots \\ & & \ddots & 1 \\ 0 & & & 0 \end{pmatrix}$$

Figure 1: $I_k$, $L_k$ and $U_k$

For a $k \times k$ matrix $M_k$ we define $(M_k)^r = M_k \cdots M_k$ ($r$ times) and $(M_k)^0 = I_k$. Let $(e_1, \dots, e_k)$ be the canonical basis.

Lemma 1. Matrices $L_k$ and $U_k$ have the following properties, for $0 < j \le k$ and $r \ge 0$:
$$(U_k)^r \cdot e_j = \sum_{s=1}^{j-r} e_s \qquad \text{and} \qquad (L_k)^r \cdot e_j = \sum_{s=j+r}^{k} e_s$$

Lemma 2. Matrices $L_k$ and $U_k$ are nilpotent, i.e. $(U_k)^k = 0$ and $(L_k)^k = 0$.

This lemma follows immediately from Lemma 1 by computing $(U_k)^k \cdot I_k$ and $(L_k)^k \cdot I_k$.

Lemma 3. If $\sum_{i=1}^{k} x_i = 1$ then we have $L_k \cdot x = \mathbf{1} - (I_k + U_k) \cdot x$, where $\mathbf{1} = (1, \dots, 1)^T$.

Proof. First note that since $\sum_{i=1}^{k} x_i = 1$, the $i$-th entry of $L_k \cdot x$ is
$$(L_k \cdot x)_i = \sum_{s=1}^{i-1} x_s = 1 - \sum_{s=i}^{k} x_s .$$
On the other hand, we have also:
$$\bigl(\mathbf{1} - (I_k + U_k) \cdot x\bigr)_i = 1 - \sum_{s=i}^{k} x_s .$$
□



Lemma 4.
$$e_1^T \cdot U^{k-t-1} \cdot z = z_{k-t-1} + e_1^T \cdot U^{k-t} \cdot z$$

The proof follows immediately from the fact that $e_1^T \cdot U^x = (\underbrace{0, \dots, 0}_{k-x}, \underbrace{1, \dots, 1}_{x})$.

As an immediate consequence we obtain the following corollary.

Corollary 1.
$$e_1^T \cdot U^{k-t} \cdot z = z_{k-t} + e_1^T \cdot U^{k-t+1} \cdot z$$

Lemma 5. For $z = e_i - e_j$, we have that $(L_k + U_k) \cdot z = -z$.

Proof. If $i = j$, then $z = 0$ and the result is true. Suppose w.l.o.g. that $i > j$ (otherwise we just prove the result for $-z$). Then
$$U_k \cdot (e_i - e_j) = \sum_{s=1}^{i-1} e_s - \sum_{s=1}^{j-1} e_s = \sum_{s=j}^{i-1} e_s .$$
Similarly
$$L_k \cdot (e_i - e_j) = \sum_{s=i+1}^{k} e_s - \sum_{s=j+1}^{k} e_s = -\sum_{s=j+1}^{i} e_s .$$
Therefore
$$(L_k + U_k) \cdot (e_i - e_j) = \sum_{s=j}^{i-1} e_s - \sum_{s=j+1}^{i} e_s = e_j - e_i = -z .$$
□



3.1.2 How to recover the bids when knowing the $l_{ij}$'s.

As discussed above, we can represent the function $f$ as a matrix multiplication. Let $M$ be the following square matrix of size $nk \times nk$:
$$M = \begin{pmatrix} U+L & U & U & \cdots & U \\ U+I & U+L & U & \cdots & U \\ U+I & U+I & U+L & \ddots & \vdots \\ \vdots & \vdots & \ddots & \ddots & U \\ U+I & U+I & \cdots & U+I & U+L \end{pmatrix}$$
Then
$$f(b) = M \cdot b$$
The function takes as input a vector composed of $n$ vectors, each of $k$ bits. It returns the $nk$ values $l_{ij}$, $1 \le i \le n$ and $1 \le j \le k$. As explained above, the structure of the matrix is defined by the formula that computes $\gamma^a_{ij}$, which consists essentially of three factors: firstly we multiply all $\alpha_{hd}$ which encode bigger bids (represented by the matrix $U$), then we multiply all $\alpha_{id}$ which encode smaller bids by the same bidder (represented by adding the matrix $L$ on the diagonal), and finally we multiply by all $\alpha_{hj}$ which encode the same bid by bidders with a smaller index (represented by adding the matrix $I$ on the lower triangle of $M$). In our encoding there will be a "1" in the vector for each $Y$ in the protocol, hence $f$ will count how many $Y$'s are multiplied when computing $\gamma^a_{ij}$. Using this representation we can prove the following theorem.

Theorem 1. $f$ is injective, i.e. for two different correct bid vectors
$$u = \begin{pmatrix} u_1 \\ \vdots \\ u_k \end{pmatrix} \qquad \text{and} \qquad v = \begin{pmatrix} v_1 \\ \vdots \\ v_k \end{pmatrix}$$
with $u \neq v$ we have $M \cdot u \neq M \cdot v$.

Proof. Let $u$ and $v$ be two correct bid vectors such that $u \neq v$. We want to prove that $M \cdot u \neq M \cdot v$. We make a proof by contradiction, hence we assume that $M \cdot u = M \cdot v$, which is equivalent to $M \cdot (u - v) = 0$. Because $u$ and $v$ are two correct bid vectors they only contain elements of the canonical basis $(e_1, \dots, e_k)$, then
$$u = \begin{pmatrix} e_{i_1} \\ \vdots \\ e_{i_k} \end{pmatrix} \qquad \text{and} \qquad v = \begin{pmatrix} e_{j_1} \\ \vdots \\ e_{j_k} \end{pmatrix}$$
where $e_{i_k}$ and $e_{j_k}$ are elements of the canonical basis. We denote $u - v$ by $z$, consequently
$$z = \begin{pmatrix} e_{i_1} - e_{j_1} \\ \vdots \\ e_{i_k} - e_{j_k} \end{pmatrix}$$
Knowing that $M \cdot z = 0$, we prove by induction on $a$ that for all $a$ the following property $P(a)$ holds:
$$P(a) : \forall l,\ 0 < l \le a,\ U^{k-l} \cdot z = 0$$
This proves in particular that $U^0 \cdot z = 0$, i.e. $z = 0$, which contradicts our hypothesis.

• Case $a = 1$: We prove by induction for all $b \ge 1$ that the property $Q(b)$ holds, where:
$$Q(b) : \forall m,\ 0 < m \le b,\ U^{k-1} \cdot z_m = 0$$
which gives us that $U^{k-1} \cdot z = 0$.
– Base case $b = 1$: We start by looking at the multiplication of the first row of $M$ with $z$. We obtain:
$$(L+U) \cdot z_1 + U \cdot (z_2 + \dots + z_k) = 0$$
We can multiply each side by $U^{k-1}$, and use Lemma 5 to obtain:
$$U^{k-1} \cdot [-z_1 + U \cdot (z_2 + \dots + z_k)] = 0$$
Since $U$ is nilpotent, according to Lemma 2 the latter gives $-U^{k-1} \cdot z_1 = 0$. Hence we know $Q(1) : U^{k-1} \cdot z_1 = 0$, i.e. that the last entry of $z_1$ is 0.

– Inductive step $b + 1$: Assume $Q(b)$. Consider now the multiplication of the $(b+1)$-th row of the matrix $M$:
$$(U+I) \cdot z_1 + \dots + (U+I) \cdot z_b + (L+U) \cdot z_{b+1} + U \cdot (z_{b+2} + \dots + z_k) = 0$$
Then by multiplying by $U^{k-1}$ and using Lemma 5 we obtain
$$U^{k-1} \cdot [(U+I) \cdot z_1 + \dots + (U+I) \cdot z_b - z_{b+1} + U \cdot (z_{b+2} + \dots + z_k)] = 0$$
Since $U$ is nilpotent according to Lemma 2 we have
$$U^{k-1} \cdot z_1 + \dots + U^{k-1} \cdot z_b - U^{k-1} \cdot z_{b+1} = 0$$
Using the fact that for all $m \le b$ we have $U^{k-1} \cdot z_m = 0$, the latter gives $-U^{k-1} \cdot z_{b+1} = 0$.

• Inductive step $a + 1$: Assume $P(a)$. By induction on $b \ge 1$ we will show that $Q'(b)$ holds, where
$$Q'(b) : \forall m,\ 0 < m \le b,\ U^{k-(a+1)} \cdot z_m = 0$$
which gives us that $U^{k-(a+1)} \cdot z = 0$, i.e. $P(a+1)$.

– Base case $b = 1$: Consider the multiplication of the first row with $U^{k-(a+1)}$:
$$U^{k-(a+1)} \cdot [(L+U) \cdot z_1 + U \cdot (z_2 + \dots + z_k)] = 0$$
which can be rewritten as
$$-U^{k-(a+1)} \cdot z_1 + U^{k-a} \cdot (z_2 + \dots + z_k) = 0$$
Using $U^{k-a} \cdot z_l = 0$ for all $l$, we can conclude that
$$-U^{k-(a+1)} \cdot z_1 = 0$$
i.e. $Q'(1)$ holds.

– Inductive step $b + 1$: Assume $Q'(b)$. Consider now the $(b+1)$-th row of the matrix $M$:
$$(U+I) \cdot z_1 + \dots + (U+I) \cdot z_b + (L+U) \cdot z_{b+1} + U \cdot (z_{b+2} + \dots + z_k) = 0$$
Then by multiplying by $U^{k-(a+1)}$ and using Lemma 5 we obtain
$$U^{k-(a+1)} \cdot [(U+I) \cdot z_1 + \dots + (U+I) \cdot z_b - z_{b+1} + U \cdot (z_{b+2} + \dots + z_k)] = 0$$
Using $U^{k-a} \cdot z_l = 0$ for all $l$, we can conclude that
$$U^{k-(a+1)} \cdot I \cdot z_1 + \dots + U^{k-(a+1)} \cdot I \cdot z_b - U^{k-(a+1)} \cdot z_{b+1} = 0$$
Using the fact that for all $m \le b$ we have $U^{k-(a+1)} \cdot z_m = 0$, we can conclude that
$$-U^{k-(a+1)} \cdot z_{b+1} = 0$$
i.e. $Q'(b+1)$ holds.

□

This theorem shows that if there is a constellation of bids that led to certain values $l_{ij}$, this constellation is unique. Hence we are able to invert $f$ on valid outputs. We will now show that this can be done efficiently.

3.1.3 An efficient algorithm.

Our aim is to solve the following linear system: $M \cdot x = l$. We will use the same steps we used for the proof of injectivity to solve this system efficiently. First note that
$$M \cdot x = l \ \Rightarrow\ \mathrm{diag}(U^{k-t-1}) \cdot M \cdot x = \mathrm{diag}(U^{k-t-1}) \cdot l$$
where $\mathrm{diag}(U^{k-t-1})$ is a $nk \times nk$ block diagonal matrix containing only diagonal blocks of the same matrix $U^{k-t-1}$. We consider the $r$-th block of size $k$ of the latter equality. We have $x_r = (x_{r,1}, x_{r,2}, \dots, x_{r,k})$. When multiplying by $e_1^T$ we obtain the first line of this block. The $r$-th block of $M \cdot x$ is
$$(U+I) \cdot x_1 + \dots + (U+I) \cdot x_{r-1} + (L+U) \cdot x_r + U \cdot x_{r+1} + \dots + U \cdot x_k = U \cdot \Bigl(\sum_{i=1}^{k} x_i\Bigr) + \Bigl(\sum_{i=1}^{r-1} x_i\Bigr) + L \cdot x_r$$
and the $r$-th block of $l$ is $l_r$. Hence
$$e_1^T \cdot U^{k-t-1} \cdot \Bigl[U \cdot \Bigl(\sum_{i=1}^{k} x_i\Bigr) + \Bigl(\sum_{i=1}^{r-1} x_i\Bigr) + L \cdot x_r\Bigr] = e_1^T \cdot U^{k-t-1} \cdot l_r \qquad (1)$$
Using Lemma 4, then several times Corollary 1, and Equation (1) with $t$ replaced by $t-1$, the left-hand side can be expressed through $x_{r,k-t}$, the sums $\sum_i x_i - 2 \cdot x_r$ and $e_1^T \cdot U^{k-t} \cdot l_r$. Regrouping the applications of Corollary 1 and the latter formula within Equation (1) gives a relation between $x_{r,k-t-1}$, $x_{r,k-t}$, $\sum_i x_i - 2 \cdot x_r$ and $l_{r,k-t-1}$.

This gives us a formula to compute the values of $x_{ij}$, starting with the last element of the first block $x_{1,k}$. Then we can compute the last elements of all other blocks $x_{2,k}, \dots, x_{n,k}$, and then the second to last elements $x_{1,k-1}, \dots, x_{n,k-1}$, and so on.
Complexity Analysis. To obtain all values, we have to apply the above formula for each $t \le n$ and $r \le k$, hence we have:
$$\sum_{t=1}^{n} \sum_{r=1}^{k} (k + r) = n \cdot \Bigl(k^2 + \frac{k(k+1)}{2}\Bigr) = \frac{3}{2} n k^2 + \frac{1}{2} n k \in O(nk^2)$$
This is efficient enough to be computed on a standard PC for realistic values of $n$ (the number of bidders) and $k$ (the number of possible bids). Those could be less than a hundred bidders with a thousand different prices, thus requiring only on the order of a hundred million arithmetic operations.
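The matrix $M$ of Section 3.1.2 and the inversion of Section 3.1.3, as an added Python example that is not code from the paper. `f` builds $M$ from its three block parts and multiplies; `recover_bids` follows the paper's order (the last entry of every block first, then the second to last) but uses the counting form of $l_{ij}$ rather than the matrix recurrence; all bid lists are constructed inputs.

```python
from typing import List, Optional, Tuple


def build_matrix(n: int, k: int) -> List[List[int]]:
    """The nk x nk matrix M, rows indexed by (i, j) and columns by (h, d):
    U (d > j) in every block, plus L (d < j) on the diagonal block h == i,
    plus I (d == j) in the blocks below the diagonal (h < i)."""
    size = n * k
    M = [[0] * size for _ in range(size)]
    for i in range(n):
        for j in range(k):
            for h in range(n):
                for d in range(k):
                    if d > j or (h == i and d < j) or (h < i and d == j):
                        M[i * k + j][h * k + d] = 1
    return M


def encode_bids(bids: List[int], k: int) -> List[int]:
    """The vector b: one k-bit block per bidder, a 1 at the chosen price
    (the Y entry) and 0 elsewhere.  Prices are 1-based as in the paper."""
    return [1 if d == bid else 0 for bid in bids for d in range(1, k + 1)]


def f(bids: List[int], k: int) -> List[int]:
    """l = M . b, i.e. the number l_ij of Y factors inside each gamma_ij."""
    b = encode_bids(bids, k)
    M = build_matrix(len(bids), k)
    return [sum(m * x for m, x in zip(row, b)) for row in M]


def winner(l: List[int], n: int, k: int) -> Optional[Tuple[int, int]]:
    """v_ij = 1 exactly when l_ij = 0: bidder i wins at price j (1-based)."""
    for i in range(n):
        for j in range(k):
            if l[i * k + j] == 0:
                return i + 1, j + 1
    return None


def recover_bids(l: List[int], n: int, k: int) -> List[int]:
    """Invert f on a valid output.  By the three-block structure,
    l_ij = #{h : bid_h > j} + [bid_i < j] + #{h < i : bid_h = j}.
    Walking prices from k downwards, a bidder not yet placed has bid_i <= j,
    so the middle term is 0 exactly when bid_i = j."""
    bids: List[Optional[int]] = [None] * n
    higher = 0                          # bidders already placed above price j
    for j in range(k, 0, -1):
        same_lower_index = 0            # bidders h < i already placed at price j
        for i in range(n):
            if bids[i] is None:
                below = l[i * k + (j - 1)] - higher - same_lower_index
                if below == 0:
                    bids[i] = j
                elif below != 1:
                    raise ValueError(f"not the image of a valid bid vector at ({i + 1},{j})")
            if bids[i] == j:
                same_lower_index += 1
        higher += same_lower_index
    if None in bids:
        raise ValueError("not the image of a valid bid vector")
    return [int(x) for x in bids if x is not None]


if __name__ == "__main__":
    l = f([1, 2, 1], 3)                 # the paper's example: bids 1, 2, 1
    print("f(b) =", l, " winner (bidder, price) =", winner(l, 3, 3))
    print("recovered bids:", recover_bids(l, 3, 3))
```

For the paper's example the eighth entry comes out as 2, since the row of bidder 3 at price 2 contains both $\alpha_{31}$ (a lower bid by the same bidder) and $\alpha_{22}$ (the same bid by a lower-index bidder), whereas the text above lists 1 there.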



3.1.4 How to obtain the $l_{ij}$'s.

In the previous section we showed that knowing the $l_{ij}$'s allows us to efficiently break the privacy of all bidders. Here is now how to obtain the $l_{ij}$'s. The seller will learn all $v_{ij}$ at the end of the protocol. Since the $m^a_{ij}$ are randomly chosen, this will be a random value if $l_{ij} \neq 0$. However a malicious bidder ("Mallory", of index $a$) can cancel out the $m^h_{ij}$ as follows: in step 3 of the protocol each bidder will compute his $\gamma^h_{ij}$ and $\delta^h_{ij}$. Mallory waits until all other bidders have published their values, and then computes his values $\gamma^a_{ij}$ and $\delta^a_{ij}$ as:
$$\gamma^a_{ij} = \Bigl(\prod_{h=1}^{n}\prod_{d=j+1}^{k} \alpha_{hd}\Bigr) \cdot \Bigl(\prod_{d=1}^{j-1} \alpha_{id}\Bigr) \cdot \Bigl(\prod_{h=1}^{i-1} \alpha_{hj}\Bigr) \cdot \Bigl(\prod_{h \neq a} \gamma^h_{ij}\Bigr)^{-1}$$
$$\delta^a_{ij} = \Bigl(\prod_{h=1}^{n}\prod_{d=j+1}^{k} \beta_{hd}\Bigr) \cdot \Bigl(\prod_{d=1}^{j-1} \beta_{id}\Bigr) \cdot \Bigl(\prod_{h=1}^{i-1} \beta_{hj}\Bigr) \cdot \Bigl(\prod_{h \neq a} \delta^h_{ij}\Bigr)^{-1}$$
The first part is a correct encryption of $Y^{l_{ij}}$, with $m^a_{ij} = 1$ for all $i$ and $j$. The second part is the inverse of the product of all the other bidders' $\gamma^h_{ij}$ and $\delta^h_{ij}$, and thus it will eliminate the random exponents. Hence after decryption the seller obtains $v_{ij} = Y^{l_{ij}}$, where $l_{ij} \le n$ for a small $n$. He can compute $l_{ij}$ by simply (pre-)computing all possible values $Y^r$ and testing for equality. This allows the seller to obtain the necessary values and then to use the resolution algorithm to obtain each bidder's bid. Note that although we changed the intermediate values, the output still gives the correct result (i.e. the winning bid). Therefore, the attack might even go unnoticed by the other participants. Note also that choosing a different $Y_i$ per bidder does not prevent the attack, since all the $Y_i$ need to be public in order to prove the correctness of the bid in step 2 of the protocol.
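Why the random exponents drop out, as an added Python simulation of one cell $(i,j)$ of steps 3 to 5 that is not code from the paper: a toy group of order 509 (hypothetical, constructed for the example) replaces the real parameters, and the factors, exponents and key shares are constructed inputs. The honest run yields $Y^{l_{ij} \cdot \sum_h m^h_{ij}}$, which is outside the seller's small table; the run with one cancelling share yields $Y^{l_{ij}}$, which the table resolves to $l_{ij}$.

```python
import secrets

# Toy group constructed for this example (far too small for real use):
# p = 2q + 1 with q prime, G_q the quadratic residues mod p, g a generator
# of G_q and Y another element of G_q different from 1.
P, Q = 1019, 509
G = pow(2, 2, P)          # g = 4
Y = pow(3, 2, P)          # Y = 9


def inv(a: int) -> int:
    return pow(a, P - 2, P)


def keygen(n: int):
    """Step 1: each bidder chooses x_a; the joint key is y = prod_a g^{x_a}."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    y = 1
    for x in xs:
        y = y * pow(G, x, P) % P
    return xs, y


def encrypt(msg: int, y: int):
    """Step 2 for one entry: (alpha, beta) = (msg * y^r, g^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return msg * pow(y, r, P) % P, pow(G, r, P)


def product(pairs):
    """Homomorphic product of ElGamal pairs: encrypts the product of the plaintexts."""
    a, b = 1, 1
    for alpha, beta in pairs:
        a, b = a * alpha % P, b * beta % P
    return a, b


def honest_shares(base, ms):
    """Step 3 for one cell: bidder h publishes (gamma, delta) = (g1^m_h, g2^m_h)."""
    g1, g2 = base
    return [(pow(g1, m, P), pow(g2, m, P)) for m in ms]


def cancelling_share(base, others):
    """The share of Section 3.1.4: the base with exponent 1, multiplied by the
    inverse of the product of everybody else's shares."""
    g1, g2 = base
    a, b = product(others)
    return g1 * inv(a) % P, g2 * inv(b) % P


def decrypt_cell(shares, xs):
    """Steps 4 and 5: phi_a = (prod delta)^{x_a}; v = prod gamma / prod_a phi_a."""
    a, b = product(shares)
    phi = 1
    for x in xs:
        phi = phi * pow(b, x, P) % P
    return a * inv(phi) % P


def seller_lookup(v: int, n: int):
    """The seller's pre-computed table Y^0 .. Y^n: returns l_ij, or None."""
    table = {pow(Y, r, P): r for r in range(n + 1)}
    return table.get(v)


def run_cell(factors, xs, y, ms, cancel=False):
    """One cell (i, j): `factors` are the plaintext entries (1 or Y) multiplied
    into it and `ms` the bidders' random exponents.  With `cancel` the last
    bidder publishes the cancelling share instead of an honest one."""
    base = product([encrypt(fct, y) for fct in factors])   # the products of alphas/betas
    if cancel:
        shares = honest_shares(base, ms[:-1])
        shares.append(cancelling_share(base, shares))
    else:
        shares = honest_shares(base, ms)
    return decrypt_cell(shares, xs)


if __name__ == "__main__":
    xs, y = keygen(3)
    factors = [Y, 1, Y]                        # two Y factors, so l_ij = 2
    print("honest run, table lookup:", seller_lookup(run_cell(factors, xs, y, [5, 7, 11]), 3))
    print("cancelled run, table lookup:", seller_lookup(run_cell(factors, xs, y, [5, 7, 11], True), 3))
```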

However the protocol requires Mallory to prove that $\gamma^a_{ij}$ and $\delta^a_{ij}$ have the same exponent. This is obviously the case, but Mallory does not know the exact value of this exponent. Thus it is impossible for him to execute the proposed zero-knowledge proof protocol directly. Yet, if interactive proofs are used, he is able to fake this proof as follows.



First, note that we can rewrite $\gamma^a_{ij}$ and $\delta^a_{ij}$ as $\gamma^a_{ij} = g_1^{m^a_{ij}}$ and $\delta^a_{ij} = g_2^{m^a_{ij}}$, where
$$g_1 = \Bigl(\prod_{h=1}^{n}\prod_{d=j+1}^{k} \alpha_{hd}\Bigr) \cdot \Bigl(\prod_{d=1}^{j-1} \alpha_{id}\Bigr) \cdot \Bigl(\prod_{h=1}^{i-1} \alpha_{hj}\Bigr)$$
$$g_2 = \Bigl(\prod_{h=1}^{n}\prod_{d=j+1}^{k} \beta_{hd}\Bigr) \cdot \Bigl(\prod_{d=1}^{j-1} \beta_{id}\Bigr) \cdot \Bigl(\prod_{h=1}^{i-1} \beta_{hj}\Bigr)$$

When Mallory is asked by Victor for a proof of correctness of his values, he starts by asking all other bidders for proofs. Each of them answers with values $\lambda_o = g_1^{z_o}$ and $\mu_o = g_2^{z_o}$. Mallory can then answer Victor with values $\lambda = \prod_o \lambda_o^{-1}$ and $\mu = \prod_o \mu_o^{-1}$. Victor then sends a challenge $c$, which Mallory simply forwards to the other bidders. They answer with $r_o = z_o + c \cdot m^o_{ij}$ and Mallory sends $r = c - \sum_o r_o$ to Victor, who can check that $g_1^r = \lambda \cdot v^c$ and $g_2^r = \mu \cdot w^c$. If the other bidders did their proofs correctly, then Mallory's proof will appear valid to Victor:
$$\lambda \cdot v^c = \prod_o \lambda_o^{-1} \cdot \Bigl(g_1 \cdot \prod_o (\gamma^o_{ij})^{-1}\Bigr)^c = \prod_o g_1^{-z_o} \cdot g_1^{c - c \sum_o m^o_{ij}} = g_1^{c - \sum_o (z_o + c \cdot m^o_{ij})} = g_1^r$$
and similarly $\mu \cdot w^c = g_2^r$.

Hence in the case of interactive zero-knowledge proofs Mallory is able to modify the values $\gamma^a_{ij}$ and $\delta^a_{ij}$ as necessary, and even prove their correctness using the other bidders. Hence the modifications may stay undetected, and the seller will be able to break privacy.
Putting everything together, the attack works as follows:

1. The bidders set up the keys as described in the protocol.

2. They encrypt and publish their bids.

3. They compute $\gamma^h_{ij}$ and $\delta^h_{ij}$ and publish them.

4. Mallory, who is a bidder himself, waits until all other bidders have published their values. He then computes his values as defined above, and publishes them.

5. If he is asked for a proof, he can proceed as explained above.

6. The bidders (including Mallory) jointly decrypt the values.

7. The seller obtains all $Y^{l_{ij}}$'s. He can then compute the $l_{ij}$'s by testing at most $n$ possibilities.

8. Once he has all values, he can invert the function $f$ as explained above.

9. He obtains all bidders' bids.

Again, note that for all honest bidders this execution will look normal, so they might not even notice that an attack took place.

3.2 Attacking the general protocol architecture

The previous attack only works in the case of interactive proofs. If we switch to non-interactive proofs, Mallory cannot ask the other bidders for proofs using a challenge of his choice.

However even with non-interactive zero-knowledge proofs the protocol is still vulnerable to attacks on a targeted bidder's privacy. For example, we can exploit the fact that no message is authenticated. A malicious attacker in control of the network can hence impersonate any bidder of his choice, as well as the seller. In particular, if he wants to know Alice's bid, he can proceed as follows:

1. Mallory impersonates all other bidders. He starts by creating keys on their behalf and publishes the values $y_i$ and the corresponding proofs for all of them.

2. Alice also creates her secret key share and publishes $y_a$ together with a proof.

3. Alice and Mallory compute the public key $y$.

4. Alice encrypts her bid and publishes her $\alpha_{aj}$ and $\beta_{aj}$ together with the proofs.

5. Mallory publishes $\alpha_{ij} = \alpha_{aj}$ and $\beta_{ij} = \beta_{aj}$ for all other bidders $i$ and also copies Alice's proofs.

6. Alice and Mallory execute the computations described in the protocol and publish their $\gamma$ and $\delta$ values.

7. They compute the $\phi^h_{ij}$ and send them to the seller.

8. The seller publishes the $\phi^h_{ij}$ and computes the $v_{aj}$.

Since all submitted bids are equal, the seller (who might also be impersonated by Mallory) will obtain Alice's bid as the winning price, hence it is not private any more. This attack essentially simulates a whole instance of the protocol to make Alice indirectly reveal a bid that was intended for another, probably real, auction.

More generally, the lack of authentication allows Mallory to impersonate all of the bidders if he can control the network. Then Mallory can choose the bids of all the bidders, and therefore select the winner at a chosen price, breaking fairness.
4 Conclusion and Future Work

In this paper we analyzed the protocol by Brandt [1] and showed that the underlying computations have a weakness. This weakness can be exploited by malicious bidders if interactive zero-knowledge proofs are used. For the case where non-interactive zero-knowledge proofs are used, we also described a different attack which exploits the lack of authentication in the protocol.

This shows that properties such as authentication are necessary to achieve other properties that might appear to be unrelated at first sight (like for instance privacy). It also makes it clear that there is a difference between computing the winner in a fully private way, and ensuring privacy for the bidders: if we use modified inputs, we can break privacy even if the computations themselves are secure. Additionally our analysis highlights that interactive and non-interactive proofs have different properties, and that this is an important choice in protocol design. All in all, the results underline that designing protocols is a complex task where the devil hides in the details.